init: copy from lawndale-infra

2022-05-27 02:51:52 +02:00
commit 6a60d271bf
18 changed files with 1126 additions and 0 deletions
--- a/bootstrap_token.tf
+++ b/bootstrap_token.tf
@@ -0,0 +1,86 @@
+resource "random_password" "bootstrap_token_id" {
+  special = false
+  upper   = false
+  length  = 6
+}
+
+resource "random_password" "bootstrap_token_secret" {
+  special = false
+  upper   = false
+  length  = 16
+}
+
+resource "time_rotating" "bootstrap_expiry_base" {
+  rotation_days = 60
+}
+
+resource "kubernetes_secret" "bootstrap_token" {
+  metadata {
+    name      = "bootstrap-token-${random_password.bootstrap_token_id.result}"
+    namespace = "kube-system"
+  }
+
+  type = "bootstrap.kubernetes.io/token"
+
+  data = {
+    "token-id"     = random_password.bootstrap_token_id.result
+    "token-secret" = random_password.bootstrap_token_secret.result
+
+    "usage-bootstrap-authentication" = "true"
+    "usage-bootstrap-signing"        = "true"
+
+    "auth-extra-groups" = "system:bootstrappers:worker,system:bootstrappers:ingress"
+
+    "expiration" = timeadd(time_rotating.bootstrap_expiry_base.id, "${90 * 24}h")
+  }
+
+}
+
+resource "kubernetes_cluster_role_binding" "auto_approve_node_csrs" {
+  metadata {
+    name = "auto-approve-csrs-for-nodes"
+  }
+  subject {
+    kind      = "Group"
+    name      = "system:bootstrappers"
+    api_group = "rbac.authorization.k8s.io"
+  }
+  role_ref {
+    kind      = "ClusterRole"
+    name      = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
+    api_group = "rbac.authorization.k8s.io"
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "auto_approve_node_renewals" {
+  metadata {
+    name = "auto-approve-renewals-for-nodes"
+  }
+  subject {
+    kind      = "Group"
+    name      = "system:nodes"
+    api_group = "rbac.authorization.k8s.io"
+  }
+  role_ref {
+    kind      = "ClusterRole"
+    name      = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient"
+    api_group = "rbac.authorization.k8s.io"
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "nodes_create_csrs" {
+  metadata {
+    name = "create-csrs-for-node-bootstrappers"
+  }
+  subject {
+    kind      = "Group"
+    name      = "system:bootstrappers"
+    api_group = "rbac.authorization.k8s.io"
+  }
+
+  role_ref {
+    kind      = "ClusterRole"
+    name      = "system:node-bootstrapper"
+    api_group = "rbac.authorization.k8s.io"
+  }
+}